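# Main nginx configuration: one worker, TLS 1.3 only, mandatory client
# certificates, gzip compression, and per-site configuration pulled in from
# conf.d at the end of the http block.
#
# One directive per line: '#' starts a comment that runs to end of line, so
# when this file is collapsed onto a single line everything after the first
# '#' is ignored and the http block is left unclosed.

pid /run/nginx.pid;
user www-data;
worker_processes 1;

events {
    multi_accept on;
    use epoll;
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    server_names_hash_bucket_size 128;

    # Logging
    # NOTE(review): with access_log off there is no per-request record on this
    # host for incident response or abuse investigation; only warn-and-above
    # errors are kept. Confirm request logs are retained somewhere upstream,
    # or enable access logging in the server blocks that need it.
    access_log off;
    error_log /var/log/nginx/error.log warn;

    # Keep-alive limits
    keepalive_requests 100;
    keepalive_timeout 30;

    # Connection timings
    # Short body/send timeouts and the 3 MB body cap bound how long and how
    # much a slow or oversized client can hold a connection in this worker.
    client_body_timeout 10;
    client_max_body_size 3m;
    reset_timedout_connection on;
    send_timeout 2;
    sendfile on;

    # Packet tuning
    tcp_nodelay on;
    tcp_nopush on;

    # Data compression
    # NOTE(review): compressing TLS responses that mix secrets (session or
    # CSRF tokens) with request-influenced content exposes them to
    # compression-length side channels (BREACH). The list below includes
    # text/plain, JSON and XML types; confirm no such responses are served
    # under these types, or turn gzip off in the locations that serve them.
    gzip on;
    gzip_comp_level 9;
    gzip_disable "msie6";
    gzip_proxied any;
    gzip_types
        application/atom+xml
        application/javascript
        application/json
        application/rss+xml
        application/x-font-ttf
        application/x-javascript
        application/x-web-app-manifest+json
        application/xhtml+xml
        application/xml
        application/xml+rss
        font/opentype
        image/svg+xml
        image/x-icon
        text/css
        text/javascript
        text/plain
        text/x-component
        text/x-json
        text/xml;
    gzip_vary on;

    # SSL certificates
    # Relative paths are resolved against the nginx configuration prefix.
    # The private key should be readable only by the account that starts
    # nginx, not by the www-data worker user.
    # These settings apply only to listeners declared with "listen ... ssl";
    # presumably those server blocks live in conf.d - verify.
    ssl_certificate ssl/domain.pem;
    ssl_certificate_key ssl/domain.key;
    ssl_client_certificate ssl/cloudflare-origin.pem;

    # SSL configuration
    # ssl_verify_client on: every request must present a client certificate
    # that chains to the CA in ssl_client_certificate, otherwise it is
    # rejected.
    # NOTE(review): the file name suggests a Cloudflare origin-pull CA. If it
    # is the CA shared by all Cloudflare zones, the check proves "came through
    # Cloudflare", not "came through this account's zone" - confirm which CA
    # is installed, and that the origin is not reachable on a plain-HTTP
    # listener that skips this check.
    ssl_verify_client on;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;
    ssl_session_timeout 1d;

    # Modern configuration: TLS 1.3 only, so clients limited to TLS 1.2 or
    # older cannot connect.
    ssl_prefer_server_ciphers off;
    ssl_protocols TLSv1.3;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
    # add_header is inherited by a server or location block only when that
    # block declares no add_header of its own; any included block that adds a
    # header must repeat this line or its responses go out without HSTS.
    add_header Strict-Transport-Security "max-age=63072000" always;

    # Caching of open file descriptors and lookup errors
    open_file_cache max=200000 inactive=20s;
    open_file_cache_errors on;
    open_file_cache_min_uses 2;
    open_file_cache_valid 30s;

    # Per-site configuration; everything above is inherited by these files
    # unless they override it.
    include /etc/nginx/conf.d/*.conf;
}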